1 Reply Latest reply on Apr 4, 2019 4:11 PM by wolfgangknauf

Wildfly semicolon in cookie stripping

p_maheshbe Jan 12, 2018 8:10 AM

Hello

I was trying to upgrade from jboss 6.1 and Wildfly 10.0

I am setting the below cookie to java servlet response

set-cookie=JSESSIONID=Txx_ViSHTK6dPlKAmDSiq3YavD-9MiKACkxLWQWC.ppq02; path=/abc.processor;null

but while reading the cookies using HttpServletRequest.getCookies() always returns as null.

but if i change the cookie to

set-cookie=JSESSIONID=Txx_ViSHTK6dPlKAmDSiq3YavD-9MiKACkxLWQWC.ppq02 or set-cookie=JSESSIONID=Txx_ViSHTK6dPlKAmDSiq3YavD-9MiKACkxLWQWC.ppq02 path=/abc.processor null (without semi colon) its working good.

Do we need to add any other configuration to support semicolon as well.

environment & configuration changes.

Java version: 1.8.x

added allow-equals-in-cookie-value="true" in http-listener.

Any help is much appreciated.

Thank you

1. Re: Wildfly semicolon in cookie stripping

wolfgangknauf Apr 4, 2019 4:11 PM (in response to p_maheshbe)

This is an older question, but it was the first google hit when I ran into a similar issue when updating an older app. So here is the answer:

See RFC 6265, which describes the cookie format (https://tools.ietf.org/html/rfc6265#section-4.1.1), section 4.1.1: the cookie value can contain "US-ASCII characters excluding CTLs whitespace DQUOTE, comma, semicolon, and backslash".

Seems newer WildFly versions got more strict on this.

Best regards

Wolfgang
Actions